Re: Logs for API calls

2022-04-21 Thread Jim Rx
Matthieu,

 

The commands work independently...if I use the command "New-GuacUser -DataSource mysql -Parameters $GuacParameters" to create a single user, it works fine. I start getting the error when I put the command into a foreach loop and pull in names from a text file.

 

Other functions, like "Add-GuacUserConnection" in a foreach loop work just fine.

 

I will open an issue on GitHub as you ask.

 

Still, if there is a log someplace that can show me these API calls, it might help reveal what the issue is.

 

Jim

 
 

Sent: Thursday, April 21, 2022 at 12:42 PM
From: "Matthieu Courtois" 
To: user@guacamole.apache.org
Subject: Re: Logs for API calls



Hello,

 

Please open an issue on GitHub, I will check what is going on.

 

UpperM

 


On Thu, Apr 21, 2022 at 15:36, Jim Rx <jimr...@mail.com> wrote:




Hello,

 

I am using a PowerShell Guacamole module from UpperM on GitHub that seems to work very well. However, I've been having trouble with adding groups of users. The server returns an HTTP 500 Internal Server Error. Does Guacamole keep logs specific to API calls? I'm hoping to see what is causing the error.

 

Thanks

 

Jim


- To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org









Logs for API calls

2022-04-21 Thread Jim Rx
Hello,

 

I am using a PowerShell Guacamole module from UpperM on GitHub that seems to work very well. However, I've been having trouble with adding groups of users. The server returns an HTTP 500 Internal Server Error. Does Guacamole keep logs specific to API calls? I'm hoping to see what is causing the error.

 

Thanks

 

Jim




Re: How To have multiple LDAP servers?

2022-03-28 Thread Jim Rx
Jonathan,

 

I will give it a try. It would be nice to know the logic/process Guacamole uses in this case.

 

Thanks

 

Jim

 
 

Sent: Wednesday, March 23, 2022 at 10:25 AM
From: "Hankins, Jonathan" 
To: user@guacamole.apache.org
Subject: Re: How To have multiple LDAP servers?


Jim,
 

What LDAP server are you using? Are you wanting multiple LDAP servers for fault-tolerance / load balancing? If you are using AD LDAP, you can use the DNS name of the domain instead of individual DCs and you will get DNS round robin. I am not sure how the LDAP library that Guacamole uses handles this, and I don't know if it has any logic to, e.g., try the 2nd IP if the first one doesn't respond. You could probably also handle this kind of situation with a load balancer (like haproxy) in front of your LDAP.

 

If you are trying to authenticate against multiple, different LDAP domains (i.e., users in domain 1 OR users in domain 2), that'd be up to guacamole to support, and I don't see anything indicating that in the documentation.

 

If you are in an AD situation where you have multiple domains all in one forest and want to query across the forest, you can do that by querying the Global Catalog port instead of the normal LDAP port, and enabling following of referrals, I think. Your search filter would have to be permissive enough to work for both domains, but not over-match, since you only get one search filter.

 

Good luck!

 


On Tue, Mar 22, 2022 at 6:53 AM Jim Rx <jimr...@mail.com> wrote:




We came upon this requirement yesterday -- how do I configure guacamole.properties so that there are multiple LDAP servers available to query? Can I simply have more than one ldap-hostname entry?

 

Thanks

 

Jim



 

 
--


Jonathan Hankins

Homewood City Schools

W: 205-877-4548









How To have multiple LDAP servers?

2022-03-22 Thread Jim Rx
We came upon this requirement yesterday -- how do I configure guacamole.properties so that there are multiple LDAP servers available to query? Can I simply have more than one ldap-hostname entry?

 

Thanks

 

Jim




Re: is there any method to remove "guacamole" in web url

2022-03-01 Thread Jim Rx
Use a proxy. For example, we have NGINX set up to forward web requests for https://guac.domain.tld/ to https://guac.domain.tld:8080/guacamole/. The user only has to type in https://guac.domain.tld

 

 


Here is a web page that talks about it

 

How to Set up a Reverse Proxy (Step-By-Step for Nginx & Apache)

 

Sent: Tuesday, March 01, 2022 at 2:18 AM
From: "Simon" 
To: "user@guacamole.apache.org" 
Subject: is there any method to remove "guacamole" in web url



hello,

By default, when we visit guac in a browser, the root web URL contains "guacamole".

Is there any method to remove "guacamole" from the web URL?

 

 

thx

 

 








Re: Problems with GuacamoleHTTPTunnelServlet

2022-02-28 Thread Jim Rx
Craig,

 

I verified that guacd is running (systemctl status guacd) and then issued the command telnet localhost 4822. I successfully connected.

 

root@guac:~# telnet localhost 4822

Trying ::1...

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

 

I pressed enter and the connection was 'closed by foreign host'

 

So it appears that 4822 is available on the localhost.

 

Thanks,

 

Jim

 
 

Sent: Monday, February 28, 2022 at 12:34 PM
From: "Craig Sawyer" 
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet

Could this be a firewall thing? Can you open a TCP connection to
127.0.0.1:4822?

You obviously won't do anything useful, since you won't speak the
guacd protocol, but that's not the point. Just make sure you can open
a network connection to guacd. If you can't, then FW or perhaps guacd
isn't really opening the port it says it is, etc. will require some
troubleshooting.

Hope this helps,
-Craig

On Mon, Feb 28, 2022 at 8:59 AM Jim Rx  wrote:
>
> Nick,
>
> Yes, Guac and Tomcat are on the same VM.
>
> As requested:
>
> root@guac:~# ls /etc/guacamole
> extensions guacamole.properties guacamole.war guacd.conf lib user-mapping.xml
> root@guac:~#
> root@guac:~# cat /etc/guacamole/guacamole.properties
> # Hostname and Guac Server Port
> guacd-hostname: 127.0.0.1
> guacd-port: 4822
> user-mapping: /etc/guacamole/user-mapping.xml
> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
> # MySQL properties
> mysql-hostname: localhost
> mysql-port: 3306
> mysql-database: guacamole_db
> mysql-username: guacamole_user
> mysql-password: SuperSecret
> mysql-auto-create-accounts: true
>
> # LDAP Properties
> ldap-hostname: 1.2.3.4
> ldap-port: 389
> ldap-encryption-method: none
> ldap-user-base-dn: DC=domain,DC=tld
> ldap-username-attribute: samAccountName
> ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou=Administration, dc=domain, dc=tld
> ldap-search-bind-password: SuperSecret
> ldap-user-search-filter: (sAMAccountType=805306368)
>
> root@guac:~# cat /etc/guacamole/guacd.conf
> [server]
> bind_host = 127.0.0.1
> bind_port = 4822
> root@guac:~#
> root@guac:~# systemctl status guacd tomcat9
> ● guacd.service - LSB: Guacamole proxy daemon
> Loaded: loaded (/etc/init.d/guacd; generated)
> Active: active (running) since Mon 2022-02-28 10:52:43 CST; 2min 1s ago
> Docs: man:systemd-sysv-generator(8)
> Process: 806 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCESS)
> Tasks: 1 (limit: 4639)
> Memory: 9.9M
> CPU: 22ms
> CGroup: /system.slice/guacd.service
> └─814 /usr/local/sbin/guacd -p /var/run/guacd.pid
> Feb 28 10:52:43 guac systemd[1]: Starting LSB: Guacamole proxy daemon...
> Feb 28 10:52:43 guac guacd[812]: Guacamole proxy daemon (guacd) version 1.4.0 started
> Feb 28 10:52:43 guac guacd[806]: Starting guacd:
> Feb 28 10:52:43 guac guacd[812]: guacd[812]: INFO: Guacamole proxy daemon (guacd) version 1.4.0 started
> Feb 28 10:52:43 guac guacd[806]: SUCCESS
> Feb 28 10:52:43 guac systemd[1]: Started LSB: Guacamole proxy daemon.
> Feb 28 10:52:43 guac guacd[814]: Listening on host 127.0.0.1, port 4822
> ● tomcat9.service - Apache Tomcat 9 Web Application Server
> Loaded: loaded (/lib/systemd/system/tomcat9.service; enabled; vendor preset: enabled)
> Active: active (running) since Mon 2022-02-28 10:52:43 CST; 2min 1s ago
> Docs: https://tomcat.apache.org/tomcat-9.0-doc/index.html
> Process: 817 ExecStartPre=/usr/libexec/tomcat9/tomcat-update-policy.sh (code=exited, status=0/SUCCESS)
> Main PID: 822 (java)
> Tasks: 38 (limit: 4639)
> Memory: 305.0M
> CPU: 16.325s
> CGroup: /system.slice/tomcat9.service
> └─822 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/var/lib/tomcat9/conf/logging.properties -Djava.util.logging.manager=org.apache>
> Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.701 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
> Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.702 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
> Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.703 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
> Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.703 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.1>
> Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.704 [http-nio-8080-exec-2] INFO o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
> Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.705 [http-nio-8080-exec-2] I
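
Craig's check above (open a TCP connection to 127.0.0.1:4822) can be taken one step further by sending the opening instruction of the Guacamole protocol to every address that localhost resolves to, which separates the ::1 and 127.0.0.1 cases seen in the telnet output. This is an added example, not part of the original messages and not code from the Guacamole project; the function names are hypothetical, and the port is the guacd-port value from the configuration in the thread.

```python
"""Probe guacd on every address 'localhost' resolves to (added example)."""
import socket

GUACD_PORT = 4822  # bind_port / guacd-port from the configuration in the thread


def encode_instruction(*elements):
    """Encode a Guacamole instruction: LENGTH.VALUE elements, ',' separated, ';' terminated."""
    # LENGTH counts Unicode characters, not UTF-8 bytes.
    return (",".join(f"{len(e)}.{e}" for e in elements) + ";").encode("utf-8")


def decode_instruction(data):
    """Return the elements of the first complete instruction in data.

    Raises ValueError if the bytes do not yet hold a whole instruction.
    """
    text = data.decode("utf-8")
    elements, pos = [], 0
    while True:
        dot = text.index(".", pos)  # ValueError if no length prefix is present
        length = int(text[pos:dot])
        start, end = dot + 1, dot + 1 + length
        value, terminator = text[start:end], text[end:end + 1]
        if len(value) != length or terminator not in (",", ";"):
            raise ValueError("incomplete or malformed instruction")
        elements.append(value)
        if terminator == ";":
            return elements
        pos = end + 1


def handshake(sock, protocol="rdp", limit=65536):
    """Send 'select' for a protocol on a connected socket and return guacd's reply."""
    sock.sendall(encode_instruction("select", protocol))
    buf = b""
    while len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        try:
            return decode_instruction(buf)
        except ValueError:
            continue  # reply not complete yet, keep reading
    raise ConnectionError("connection closed before guacd completed its reply")


def describe(reply):
    """Summarise guacd's reply to 'select'; a healthy guacd answers with 'args'."""
    if reply[0] == "args":
        return f"guacd handshake OK ({len(reply) - 1} args offered)"
    return "unexpected reply: " + ",".join(reply)


def probe(host="localhost", port=GUACD_PORT, timeout=3.0):
    """Try the handshake on each resolved address; return {address: outcome}."""
    results = {}
    for family, socktype, proto, _, addr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(addr)
                results[addr[0]] = describe(handshake(sock))
        except OSError as exc:  # refused, timed out, or closed early
            results[addr[0]] = f"failed: {exc}"
    return results


if __name__ == "__main__":
    for address, outcome in probe().items():
        print(f"{address}:{GUACD_PORT} -> {outcome}")
```

Run it on the Guacamole host: an address that reports a failure while another reports a completed handshake shows which loopback family guacd is bound to.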

Re: Problems with GuacamoleHTTPTunnelServlet

2022-02-28 Thread Jim Rx
Nick,

 

Yes, Guac and Tomcat are on the same VM. 

 

As requested:

 


root@guac:~# ls /etc/guacamole
extensions  guacamole.properties  guacamole.war  guacd.conf  lib  user-mapping.xml
root@guac:~#
root@guac:~# cat /etc/guacamole/guacamole.properties
# Hostname and Guac Server Port
guacd-hostname: 127.0.0.1
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

# MySQL properties

mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: SuperSecret
mysql-auto-create-accounts: true

 

# LDAP Properties
ldap-hostname: 1.2.3.4
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: DC=domain,DC=tld
ldap-username-attribute: samAccountName
ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou=Administration, dc=domain, dc=tld
ldap-search-bind-password: SuperSecret
ldap-user-search-filter: (sAMAccountType=805306368)


root@guac:~# cat /etc/guacamole/guacd.conf
[server]
bind_host = 127.0.0.1
bind_port = 4822
root@guac:~#
root@guac:~# systemctl status guacd tomcat9
● guacd.service - LSB: Guacamole proxy daemon
 Loaded: loaded (/etc/init.d/guacd; generated)
 Active: active (running) since Mon 2022-02-28 10:52:43 CST; 2min 1s ago
   Docs: man:systemd-sysv-generator(8)
    Process: 806 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCESS)
  Tasks: 1 (limit: 4639)
 Memory: 9.9M
    CPU: 22ms
 CGroup: /system.slice/guacd.service
 └─814 /usr/local/sbin/guacd -p /var/run/guacd.pid

Feb 28 10:52:43 guac systemd[1]: Starting LSB: Guacamole proxy daemon...
Feb 28 10:52:43 guac guacd[812]: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 10:52:43 guac guacd[806]: Starting guacd:
Feb 28 10:52:43 guac guacd[812]: guacd[812]: INFO:    Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 10:52:43 guac guacd[806]: SUCCESS
Feb 28 10:52:43 guac systemd[1]: Started LSB: Guacamole proxy daemon.
Feb 28 10:52:43 guac guacd[814]: Listening on host 127.0.0.1, port 4822

● tomcat9.service - Apache Tomcat 9 Web Application Server
 Loaded: loaded (/lib/systemd/system/tomcat9.service; enabled; vendor preset: enabled)
 Active: active (running) since Mon 2022-02-28 10:52:43 CST; 2min 1s ago
   Docs: https://tomcat.apache.org/tomcat-9.0-doc/index.html
    Process: 817 ExecStartPre=/usr/libexec/tomcat9/tomcat-update-policy.sh (code=exited, status=0/SUCCESS)
   Main PID: 822 (java)
  Tasks: 38 (limit: 4639)
 Memory: 305.0M
    CPU: 16.325s
 CGroup: /system.slice/tomcat9.service
 └─822 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/var/lib/tomcat9/conf/logging.properties -Djava.util.logging.manager=org.apache>

Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.701 [http-nio-8080-exec-2] INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.702 [http-nio-8080-exec-2] INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.703 [http-nio-8080-exec-2] INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.703 [http-nio-8080-exec-2] INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.1>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.704 [http-nio-8080-exec-2] INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.705 [http-nio-8080-exec-2] INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.705 [http-nio-8080-exec-2] INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06002_REGISTERED_INTERMEDIATE_FACTORY (1.3.6.1.>
Feb 28 10:53:04 guac tomcat9[822]: 10:53:04.867 [http-nio-8080-exec-2] INFO  o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from 12>
Feb 28 10:53:12 guac tomcat9[822]: 10:53:12.438 [http-nio-8080-exec-5] WARN  o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.
Feb 28 10:53:22 guac tomcat9[822]: 10:53:22.502 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd tim>
root@guac:~#

 





Re: Problems with GuacamoleHTTPTunnelServlet

2022-02-28 Thread Jim Rx
Yes. No output to the console. Just to be sure I ran it again:

 


root@guac:~# systemctl status guacd
● guacd.service - LSB: Guacamole proxy daemon
 Loaded: loaded (/etc/init.d/guacd; generated)
 Active: active (running) since Mon 2022-02-28 10:24:47 CST; 45s ago
   Docs: man:systemd-sysv-generator(8)
    Process: 524 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCESS)
  Tasks: 1 (limit: 4639)
 Memory: 13.5M
    CPU: 15ms
 CGroup: /system.slice/guacd.service
 └─594 /usr/local/sbin/guacd -p /var/run/guacd.pid

Feb 28 10:24:46 guac systemd[1]: Starting LSB: Guacamole proxy daemon...
Feb 28 10:24:47 guac guacd[527]: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 10:24:47 guac guacd[524]: Starting guacd:
Feb 28 10:24:47 guac guacd[527]: guacd[527]: INFO:    Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 10:24:47 guac guacd[524]: SUCCESS
Feb 28 10:24:47 guac systemd[1]: Started LSB: Guacamole proxy daemon.
Feb 28 10:24:47 guac guacd[594]: Listening on host 127.0.0.1, port 4822
root@guac:~#
root@guac:~#
root@guac:~# systemctl stop guacd
root@guac:~#
root@guac:~# systemctl status guacd
● guacd.service - LSB: Guacamole proxy daemon
 Loaded: loaded (/etc/init.d/guacd; generated)
 Active: inactive (dead) since Mon 2022-02-28 10:25:41 CST; 4s ago
   Docs: man:systemd-sysv-generator(8)
    Process: 524 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCESS)
    Process: 746 ExecStop=/etc/init.d/guacd stop (code=exited, status=0/SUCCESS)
    CPU: 23ms

Feb 28 10:24:47 guac guacd[524]: Starting guacd:
Feb 28 10:24:47 guac guacd[527]: guacd[527]: INFO:    Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 10:24:47 guac guacd[524]: SUCCESS
Feb 28 10:24:47 guac systemd[1]: Started LSB: Guacamole proxy daemon.
Feb 28 10:24:47 guac guacd[594]: Listening on host 127.0.0.1, port 4822
Feb 28 10:25:41 guac systemd[1]: Stopping LSB: Guacamole proxy daemon...
Feb 28 10:25:41 guac guacd[746]: Stopping guacd: SUCCESS
Feb 28 10:25:41 guac systemd[1]: guacd.service: Succeeded.
Feb 28 10:25:41 guac systemd[1]: guacd.service: Unit process 594 (guacd) remains running after unit stopped.
Feb 28 10:25:41 guac systemd[1]: Stopped LSB: Guacamole proxy daemon.
root@guac:~#
root@guac:~#
root@guac:~# ss -alnp | grep guacd
root@guac:~#
root@guac:~#
root@guac:~#
root@guac:~# ./usr/local/sbin/guacd -L debug -f
bash: ./usr/local/sbin/guacd: No such file or directory
root@guac:~#
root@guac:~# /usr/local/sbin/guacd -L debug -f
guacd[765]: INFO:   Guacamole proxy daemon (guacd) version 1.4.0 started
guacd[765]: DEBUG:  Successfully bound AF_INET socket to host 127.0.0.1, port 4822
guacd[765]: INFO:   Listening on host 127.0.0.1, port 4822


 > > > connection attempts result in "you have been disconnected" < < <

^C
root@guac:~# systemctl status guacd
● guacd.service - LSB: Guacamole proxy daemon
 Loaded: loaded (/etc/init.d/guacd; generated)
 Active: inactive (dead) since Mon 2022-02-28 10:25:41 CST; 2min 17s ago
   Docs: man:systemd-sysv-generator(8)
    Process: 524 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCESS)
    Process: 746 ExecStop=/etc/init.d/guacd stop (code=exited, status=0/SUCCESS)
    CPU: 23ms

Feb 28 10:24:47 guac guacd[524]: Starting guacd:
Feb 28 10:24:47 guac guacd[527]: guacd[527]: INFO:    Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 10:24:47 guac guacd[524]: SUCCESS
Feb 28 10:24:47 guac systemd[1]: Started LSB: Guacamole proxy daemon.
Feb 28 10:24:47 guac guacd[594]: Listening on host 127.0.0.1, port 4822
Feb 28 10:25:41 guac systemd[1]: Stopping LSB: Guacamole proxy daemon...
Feb 28 10:25:41 guac guacd[746]: Stopping guacd: SUCCESS
Feb 28 10:25:41 guac systemd[1]: guacd.service: Succeeded.
Feb 28 10:25:41 guac systemd[1]: guacd.service: Unit process 594 (guacd) remains running after unit stopped.
Feb 28 10:25:41 guac systemd[1]: Stopped LSB: Guacamole proxy daemon.
root@guac:~#
root@guac:~#
root@guac:~# ss -alnp | grep guacd
root@guac:~#
root@guac:~#
root@guac:~#
root@guac:~# tail -10 /var/log/syslog
Feb 28 10:25:07 guac systemd[1]: Started Session 1 of user theadmin.
Feb 28 10:25:07 guac systemd[1]: Started Session 3 of user theadmin.
Feb 28 10:25:41 guac systemd[1]: Stopping LSB: Guacamole proxy daemon...
Feb 28 10:25:41 guac guacd[746]: Stopping guacd: SUCCESS
Feb 28 10:25:41 guac systemd[1]: guacd.service: Succeeded.
Feb 28 10:25:41 guac systemd[1]: guacd.service: Unit process 594 (guacd) remains running after unit stopped.
Feb 28 10:25:41 guac systemd[1]: Stopped LSB: Guacamole proxy daemon.
Feb 28 10:26:38 guac guacd[765]: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 10:26:38 guac guacd[765]: Successfully bound AF_INET socket to host 127.0.0.1, port 4822
Feb 28 10:26:38 guac guacd[765]: Listening on host 127.0.0.1, port 4822
root@guac:~#
root@guac:~# tail -10 /var/log/tomcat9/catalina.out
[2022-02-28 10:27:05] [info] 

Re: Problems with GuacamoleHTTPTunnelServlet

2022-02-28 Thread Jim Rx
el request failed: Connection to guacd timed out.
[2022-02-28 08:46:09] [info] 08:46:09.524 [http-nio-8080-exec-7] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
root@guac:~#

 

 

Sent: Monday, February 28, 2022 at 8:30 AM
From: "Nick Couchman" 
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet



On Mon, Feb 28, 2022 at 9:02 AM Jim Rx <jimr...@mail.com> wrote:





Nick,

 

Sorry for the delayed reply, we had ice storms and it kept me from work.

 

So I'm not really any further.

 

I killed guacd (systemctl stop guacd), and then, as root, from the /etc/init.d directory, ran ./guacd start -L debug -f

 




 

No, this won't work - you'll want the path to the actual guacd binary, not the init script. The path to the binary can be found in the init script, but it's different from the script. May be something like /usr/local/sbin/guacd or /usr/sbin/guacd, something like that.

 

-Nick










Re: Problems with GuacamoleHTTPTunnelServlet

2022-02-28 Thread Jim Rx
Nick,

 

Sorry for the delayed reply, we had ice storms and it kept me from work.

 

So I'm not really any further.

 

I killed guacd (systemctl stop guacd), and then, as root, from the /etc/init.d directory, ran ./guacd start -L debug -f

 

I'm not getting anything on console, but checking journalctl -xe I see the same "no such tunnel" and "connection to guacd timed out" messages

 

BTW - this is on Debian 11, if that has any bearing

 

Thanks

 

Jim

 

 



root@guac:/etc/init.d# ./guacd start -L debug -f
Starting guacd: guacd[4427]: INFO:  Guacamole proxy daemon (guacd) version 1.4.0 started
SUCCESS


root@guac:/etc/init.d# journalctl -xe
Feb 28 07:53:42 guac systemd[1]: Stopping LSB: Guacamole proxy daemon...
░░ Subject: A stop job for unit guacd.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit guacd.service has begun execution.
░░
░░ The job identifier is 3112.
Feb 28 07:53:42 guac guacd[4422]: Stopping guacd: SUCCESS
Feb 28 07:53:42 guac systemd[1]: guacd.service: Succeeded.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit guacd.service has successfully entered the 'dead' state.
Feb 28 07:53:42 guac systemd[1]: guacd.service: Unit process 4354 (guacd) remains running after unit stopped.
Feb 28 07:53:42 guac systemd[1]: Stopped LSB: Guacamole proxy daemon.
░░ Subject: A stop job for unit guacd.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit guacd.service has finished.
░░
░░ The job identifier is 3112 and the job result is done.
Feb 28 07:53:55 guac guacd[4427]: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 07:53:55 guac guacd[4429]: Listening on host 127.0.0.1, port 4822


root@guac:/etc/init.d# journalctl -xe
Feb 28 07:53:42 guac systemd[1]: Stopping LSB: Guacamole proxy daemon...
░░ Subject: A stop job for unit guacd.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit guacd.service has begun execution.
░░
░░ The job identifier is 3112.
Feb 28 07:53:42 guac guacd[4422]: Stopping guacd: SUCCESS
Feb 28 07:53:42 guac systemd[1]: guacd.service: Succeeded.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit guacd.service has successfully entered the 'dead' state.
Feb 28 07:53:42 guac systemd[1]: guacd.service: Unit process 4354 (guacd) remains running after unit stopped.
Feb 28 07:53:42 guac systemd[1]: Stopped LSB: Guacamole proxy daemon.
░░ Subject: A stop job for unit guacd.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit guacd.service has finished.
░░
░░ The job identifier is 3112 and the job result is done.
Feb 28 07:53:55 guac guacd[4427]: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 07:53:55 guac guacd[4429]: Listening on host 127.0.0.1, port 4822
Feb 28 07:54:28 guac tomcat9[4361]: 07:54:28.098 [http-nio-8080-exec-9] WARN  o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.
Feb 28 07:54:38 guac tomcat9[4361]: 07:54:38.128 [http-nio-8080-exec-7] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd ti>


root@guac:/etc/init.d# journalctl -xe
Feb 28 07:53:42 guac systemd[1]: Stopping LSB: Guacamole proxy daemon...
░░ Subject: A stop job for unit guacd.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit guacd.service has begun execution.
░░
░░ The job identifier is 3112.
Feb 28 07:53:42 guac guacd[4422]: Stopping guacd: SUCCESS
Feb 28 07:53:42 guac systemd[1]: guacd.service: Succeeded.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit guacd.service has successfully entered the 'dead' state.
Feb 28 07:53:42 guac systemd[1]: guacd.service: Unit process 4354 (guacd) remains running after unit stopped.
Feb 28 07:53:42 guac systemd[1]: Stopped LSB: Guacamole proxy daemon.
░░ Subject: A stop job for unit guacd.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit guacd.service has finished.
░░
░░ The job identifier is 3112 and the job result is done.
Feb 28 07:53:55 guac guacd[4427]: Guacamole proxy daemon (guacd) version 1.4.0 started
Feb 28 07:53:55 guac guacd[4429]: Listening on host 127.0.0.1, port 4822
Feb 28 07:54:28 guac tomcat9[4361]: 07:54:28.098 [http-nio-8080-exec-9] WARN  o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.
Feb 28 07:54:38 guac tomcat9[4361]: 07:54:38.128 [http-nio-8080-exec-7] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd ti>
Feb 28 07:54:58 guac tomcat9[4361]: 07:54:58.541 [http-nio-8080-exec-5] WARN  o.a.g.s.GuacamoleHTTPTunnelServlet - 

Re: Problems with GuacamoleHTTPTunnelServlet

2022-02-23 Thread Jim Rx
I attempted several connections. All of them gave me a "disconnected" message

 


cat /var/log/tomcat9/catalina.out
[2022-02-23 09:40:19] [info] 09:40:19.112 [http-nio-8080-exec-6] WARN  o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.
[2022-02-23 09:40:29] [info] 09:40:29.189 [http-nio-8080-exec-7] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
[2022-02-23 09:40:34] [info] 09:40:34.615 [http-nio-8080-exec-9] WARN  o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.
[2022-02-23 09:40:44] [info] 09:40:44.661 [http-nio-8080-exec-1] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
[2022-02-23 09:40:52] [info] 09:40:52.261 [http-nio-8080-exec-4] WARN  o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.
[2022-02-23 09:41:02] [info] 09:41:02.306 [http-nio-8080-exec-9] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
[2022-02-23 09:41:06] [info] 09:41:06.449 [http-nio-8080-exec-3] WARN  o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.

 

cat /var/log/syslog

Feb 23 09:39:41 guac systemd[1]: tomcat9.service: Succeeded.
Feb 23 09:39:41 guac systemd[1]: Stopped Apache Tomcat 9 Web Application Server.
Feb 23 09:39:41 guac systemd[1]: tomcat9.service: Consumed 16.601s CPU time.
Feb 23 09:39:41 guac systemd[1]: Starting Apache Tomcat 9 Web Application Server...
Feb 23 09:39:41 guac systemd[1]: Started Apache Tomcat 9 Web Application Server.
root@guac:/etc/guacamole#

 

Thank you

 

Jim

 

Sent: Wednesday, February 23, 2022 at 9:06 AM
From: "Nick Couchman" 
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet



 
 


On Wed, Feb 23, 2022 at 9:26 AM Jim Rx <jimr...@mail.com> wrote:




Maybe there is an issue between tomcat and guacd? The full error message I'm receiving is as follows:

 

[date/time] [info] [time] [http-nio-8080-exec-10] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.

 

and

 

[date/time] [info] [time] [http-nio-8080-exec-2] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.

 

in the logs, the number following exec varies

 

Any thoughts?

 




 

What do the guacd logs say during this time (usually in syslog/journalctl)?

 

-Nick










Re: Problems with GuacamoleHTTPTunnelServlet

2022-02-23 Thread Jim Rx
Maybe there is an issue between tomcat and guacd? The full error message I'm receiving is as follows:

 

[date/time] [info] [time] [http-nio-8080-exec-10] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.

 

and

 

[date/time] [info] [time] [http-nio-8080-exec-2] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.

 

in the logs, the number following exec varies

 

Any thoughts?

 

Thanks

 

Jim

 
 

Sent: Tuesday, February 22, 2022 at 2:58 PM
From: "Jim Rx" 
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet



As a follow up, I've tested RDP directly to the target boxes and it works with no issues.
 

Sent: Tuesday, February 22, 2022 at 11:06 AM
From: "Jim Rx" 
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet



 


Yes, it is running. I had to add the guacd.conf file to get it to stop listening to ::1 port 4822. It is now listening to 127.0.0.1 port 4822

 


root@guac:/home/theadmin# systemctl status guacd
● guacd.service - LSB: Guacamole proxy daemon
 Loaded: loaded (/etc/init.d/guacd; generated)
 Active: active (running) since Tue 2022-02-22 09:46:45 CST; 1h 17min ago
   Docs: man:systemd-sysv-generator(8)
    Process: 763 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCE>
  Tasks: 1 (limit: 4639)
 Memory: 13.7M
    CPU: 20ms
 CGroup: /system.slice/guacd.service
 └─767 /usr/local/sbin/guacd -p /var/run/guacd.pid

Feb 22 09:46:45 guac systemd[1]: Starting LSB: Guacamole proxy daemon...
Feb 22 09:46:45 guac guacd[765]: Guacamole proxy daemon (guacd) version 1.4.0 s>
Feb 22 09:46:45 guac guacd[763]: Starting guacd:
Feb 22 09:46:45 guac guacd[765]: guacd[765]: INFO:    Guacamole proxy daemo>
Feb 22 09:46:45 guac guacd[763]: SUCCESS
Feb 22 09:46:45 guac systemd[1]: Started LSB: Guacamole proxy daemon.
Feb 22 09:46:45 guac guacd[767]: Listening on host 127.0.0.1, port 4822


 

Sent: Tuesday, February 22, 2022 at 10:51 AM
From: "Nick Couchman" 
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet



On Tue, Feb 22, 2022 at 11:01 AM Jim Rx <jimr...@mail.com> wrote:





Hello,

 

So I've got 1.4.0 up and going. I'm now trying to connect and test to remote stations, and am having no luck.

 

-The machines have IP connectivity

-Attempts to connect (RDP) to both a Centos7 VM and a Windows10 VM fail. Two different messages show up in catalina.out:

  HTTP tunnel request failed: Connection to guacd timed out

  HTTP tunnel request failed: No such tunnel

 

I have the connections set up for IP/3389, No encryption, Any security type, and ignore the server certificate. I have verified that the RDP/XRDP service is running on both target VMs.

 

Any suggestions where to look?

 




 

Is guacd running? If so, is it listening on the IPv4 address (127.0.0.1)? You may need to configure it to listen on IPv4 by setting up a guacd.conf file with the bind_host set to 127.0.0.1. Newer Linux distros tend to default to IPv6, particularly for loopback traffic, and this won't work between Tomcat and guacd by default.

 

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#configuring-guacd

 

-Nick










Re: Problems with GuacamoleHTTPTunnelServlet

2022-02-22 Thread Jim Rx
As a follow up, I've tested RDP directly to the target boxes and it works with no issues.
 

Sent: Tuesday, February 22, 2022 at 11:06 AM
From: "Jim Rx" 
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet



 


Yes, it is running. I had to add the guacd.conf file to get it to stop listening to ::1 port 4822. It is now listening to 127.0.0.1 port 4822

 


root@guac:/home/theadmin# systemctl status guacd
● guacd.service - LSB: Guacamole proxy daemon
 Loaded: loaded (/etc/init.d/guacd; generated)
 Active: active (running) since Tue 2022-02-22 09:46:45 CST; 1h 17min ago
   Docs: man:systemd-sysv-generator(8)
    Process: 763 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCE>
  Tasks: 1 (limit: 4639)
 Memory: 13.7M
    CPU: 20ms
 CGroup: /system.slice/guacd.service
 └─767 /usr/local/sbin/guacd -p /var/run/guacd.pid

Feb 22 09:46:45 guac systemd[1]: Starting LSB: Guacamole proxy daemon...
Feb 22 09:46:45 guac guacd[765]: Guacamole proxy daemon (guacd) version 1.4.0 s>
Feb 22 09:46:45 guac guacd[763]: Starting guacd:
Feb 22 09:46:45 guac guacd[765]: guacd[765]: INFO:    Guacamole proxy daemo>
Feb 22 09:46:45 guac guacd[763]: SUCCESS
Feb 22 09:46:45 guac systemd[1]: Started LSB: Guacamole proxy daemon.
Feb 22 09:46:45 guac guacd[767]: Listening on host 127.0.0.1, port 4822


 

Sent: Tuesday, February 22, 2022 at 10:51 AM
From: "Nick Couchman" 
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet



On Tue, Feb 22, 2022 at 11:01 AM Jim Rx <jimr...@mail.com> wrote:





Hello,

 

So I've got 1.4.0 up and going. I'm now trying to connect and test to remote stations, and am having no luck.

 

-The machines have IP connectivity

-Attempts to connect (RDP) to both a Centos7 VM and a Windows10 VM fail. Two different messages show up in catalina.out:

  HTTP tunnel request failed: Connection to guacd timed out

  HTTP tunnel request failed: No such tunnel

 

I have the connections set up for IP/3389, No encryption, Any security type, and ignore the server certificate. I have verified that the RDP/XRDP service is running on both target VMs.

 

Any suggestions where to look?

 




 

Is guacd running? If so, is it listening on the IPv4 address (127.0.0.1)? You may need to configure it to listen on IPv4 by setting up a guacd.conf file with the bind_host set to 127.0.0.1. Newer Linux distros tend to default to IPv6, particularly for loopback traffic, and this won't work between Tomcat and guacd by default.

 

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#configuring-guacd

 

-Nick










Re: Problems with GuacamoleHTTPTunnelServlet

2022-02-22 Thread Jim Rx
 


Yes, it is running. I had to add the guacd.conf file to get it to stop listening to ::1 port 4822. It is now listening to 127.0.0.1 port 4822

 


root@guac:/home/theadmin# systemctl status guacd
● guacd.service - LSB: Guacamole proxy daemon
 Loaded: loaded (/etc/init.d/guacd; generated)
 Active: active (running) since Tue 2022-02-22 09:46:45 CST; 1h 17min ago
   Docs: man:systemd-sysv-generator(8)
    Process: 763 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCE>
  Tasks: 1 (limit: 4639)
 Memory: 13.7M
    CPU: 20ms
 CGroup: /system.slice/guacd.service
 └─767 /usr/local/sbin/guacd -p /var/run/guacd.pid

Feb 22 09:46:45 guac systemd[1]: Starting LSB: Guacamole proxy daemon...
Feb 22 09:46:45 guac guacd[765]: Guacamole proxy daemon (guacd) version 1.4.0 s>
Feb 22 09:46:45 guac guacd[763]: Starting guacd:
Feb 22 09:46:45 guac guacd[765]: guacd[765]: INFO:    Guacamole proxy daemo>
Feb 22 09:46:45 guac guacd[763]: SUCCESS
Feb 22 09:46:45 guac systemd[1]: Started LSB: Guacamole proxy daemon.
Feb 22 09:46:45 guac guacd[767]: Listening on host 127.0.0.1, port 4822


 

Sent: Tuesday, February 22, 2022 at 10:51 AM
From: "Nick Couchman" 
To: user@guacamole.apache.org
Subject: Re: Problems with GuacamoleHTTPTunnelServlet



On Tue, Feb 22, 2022 at 11:01 AM Jim Rx <jimr...@mail.com> wrote:





Hello,

 

So I've got 1.4.0 up and going. I'm now trying to connect and test to remote stations, and am having no luck.

 

-The machines have IP connectivity

-Attempts to connect (RDP) to both a Centos7 VM and a Windows10 VM fail. Two different messages show up in catalina.out:

  HTTP tunnel request failed: Connection to guacd timed out

  HTTP tunnel request failed: No such tunnel

 

I have the connections set up for IP/3389, No encryption, Any security type, and ignore the server certificate. I have verified that the RDP/XRDP service is running on both target VMs.

 

Any suggestions where to look?

 




 

Is guacd running? If so, is it listening on the IPv4 address (127.0.0.1)? You may need to configure it to listen on IPv4 by setting up a guacd.conf file with the bind_host set to 127.0.0.1. Newer Linux distros tend to default to IPv6, particularly for loopback traffic, and this won't work between Tomcat and guacd by default.

 

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#configuring-guacd

 

-Nick
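
The check Nick describes, as an added example that is not part of the original messages: it compares the address guacd reports binding to with the addresses the configured guacd-hostname resolves to. The function names, the "::1" log line and the two resolver stubs are constructed for illustration; only the 127.0.0.1 log line is quoted from the thread.

```python
import ipaddress
import re
import socket

# The first line is quoted in the thread; the second is constructed in the
# same format for the "::1" binding the poster describes.
LOG_IPV4 = "Feb 22 09:46:45 guac guacd[767]: Listening on host 127.0.0.1, port 4822"
LOG_IPV6 = "Feb 22 09:40:02 guac guacd[701]: Listening on host ::1, port 4822"

LISTEN_RE = re.compile(r"Listening on host (?P<host>\S+), port (?P<port>\d+)")


def parse_listen_line(line):
    """Return (ip_address, port) from a guacd 'Listening on host' log line."""
    match = LISTEN_RE.search(line)
    if match is None:
        raise ValueError("not a guacd listen line: %r" % line)
    return ipaddress.ip_address(match.group("host")), int(match.group("port"))


def resolve(hostname, port, resolver=socket.getaddrinfo):
    """Addresses a client on this host gets for guacd-hostname, in resolver order."""
    found = []
    for _family, _type, _proto, _canon, sockaddr in resolver(
            hostname, port, type=socket.SOCK_STREAM):
        address = ipaddress.ip_address(sockaddr[0].split("%")[0])  # drop scope id
        if address not in found:
            found.append(address)
    return found


def accepts(bound, target):
    """True if a listener bound to `bound` receives connections sent to `target`."""
    if bound.version != target.version:
        return False  # dual-stack wildcard sockets are deliberately not assumed
    return bound.is_unspecified or bound == target


def check_guacd_binding(listen_line, guacd_hostname, guacd_port,
                        resolver=socket.getaddrinfo):
    """Compare guacd's bound address with what guacd-hostname resolves to."""
    bound, bound_port = parse_listen_line(listen_line)
    targets = resolve(guacd_hostname, guacd_port, resolver)
    reachable = [t for t in targets
                 if bound_port == guacd_port and accepts(bound, t)]
    unreachable = [t for t in targets if t not in reachable]
    if not reachable:
        verdict = "mismatch"   # no resolved address reaches the listener
    elif unreachable:
        verdict = "partial"    # a client trying the wrong family will time out
    else:
        verdict = "ok"
    return {
        "bound": str(bound),
        "reachable": [str(t) for t in reachable],
        "unreachable": [str(t) for t in unreachable],
        "loopback_only": bound.is_loopback,  # False means guacd is network-facing
        "verdict": verdict,
    }


def dual_stack_localhost(hostname, port, type=0):
    """Constructed resolver stub: 'localhost' answers ::1 first, then 127.0.0.1."""
    return [
        (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("::1", port, 0, 0)),
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("127.0.0.1", port)),
    ]


def ipv4_only_localhost(hostname, port, type=0):
    """Constructed resolver stub: 'localhost' answers 127.0.0.1 only."""
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("127.0.0.1", port))]


if __name__ == "__main__":
    for line in (LOG_IPV6, LOG_IPV4):
        for stub in (dual_stack_localhost, ipv4_only_localhost):
            print(stub.__name__, check_guacd_binding(line, "localhost", 4822, stub))
```

On a live host, drop the resolver argument so the real resolver is used, and feed in the line from `systemctl status guacd`.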










Problems with GuacamoleHTTPTunnelServlet

2022-02-22 Thread Jim Rx
Hello,

 

So I've got 1.4.0 up and going. I'm now trying to connect and test to remote stations, and am having no luck.

 

-The machines have IP connectivity

-Attempts to connect (RDP) to both a Centos7 VM and a Windows10 VM fail. Two different messages show up in catalina.out:

  HTTP tunnel request failed: Connection to guacd timed out

  HTTP tunnel request failed: No such tunnel

 

I have the connections set up for IP/3389, No encryption, Any security type, and ignore the server certificate. I have verified that the RDP/XRDP service is running on both target VMs.

 

Any suggestions where to look?

 

Thanks

 

Jim




Re: Manual database update

2022-02-16 Thread Jim Rx
Thanks for the advice. I'm not yet fluent with using APIs, so discovering the APIs for Guacamole is a tall task I'm not ready to take on. So, back to the white board it is.

 

 




Sent: Tuesday, February 15, 2022 at 2:57 PM
From: "Craig Sawyer" 
To: user@guacamole.apache.org
Subject: Re: Manual database update

in the PG database, `
nextval('guacamole_entity_entity_id_seq'::regclass)`, i.e. the entity
ID is created for you, and you probably shouldn't mess with that.

You appear to be using MySQL and it's apparently due to MySQL Strict
Mode, whatever that is(not a MySQL user). You probably don't want to
turn it off, MySQL isn't known for being the best data safety steward
by default, so turning off the default on safety stuff seems like a
bad idea.

Instead I'd just add/delete users based on their username, which
should be unique across your organization anyway. You can always
figure out the entity ID if needed. i.e. use a null value for the ID,
and let the DB create the entity_id #'s for you.

For us, we use the somewhat undocumented API instead to do these
things from python code(any language possible), but it's exactly the
same use-case. We programmatically setup guac users and connections
before the user ever connects to Guac as part of our sync users to HR
system.

-Craig

On Tue, Feb 15, 2022 at 12:34 PM Jim Rx  wrote:
>
> Hello - I am attempting to manually control the contents of the guacamole_entity, guacamole_user, and guacamole_connection_permission tables.
>
> My overall goal is to script the provisioning of connections. I would like to be in a position where our users can log in to guacamole and already have their connections defined and assigned to their profile.
>
> My planned approach to this is to create a txt/csv file with the proper entries for each of the tables, and then use those to manually load into the tables.
>
> I'm running into my first issue with the guacamole_entity table. As it stands, there is one entry in the table, entity_id 1, which is guacadmin.
>
> The reason I want to manually control the entity_id is so that I can reliably delete those entries when the group of users depart and their connections are no longer needed.
>
> I have a txt file with a few users in it, and I am attempting to manually define the entity_id. The text file for my tests looks like this:
> 101,2299Bbob,USER
> 102,2299JWill,USER
> 103,2299SDogg,USER
> 104,2299AUser,USER
>
> When I try to import this into the entity table, I receive an error that says I have an incorrect integer value. Specifically:
>
> ERROR 1366 (22007) at line 1: Incorrect integer value: '101' for colum `guacamole_db`.`guacamole_entity`.`entity_id` at row 1
>
> Any suggestions?
>
> Thanks
>
> Jim




Manual database update

2022-02-15 Thread Jim Rx
Hello - I am attempting to manually control the contents of the guacamole_entity, guacamole_user, and guacamole_connection_permission tables.

 

My overall goal is to script the provisioning of connections. I would like to be in a position where our users can log in to guacamole and already have their connections defined and assigned to their profile.

 

My planned approach to this is to create a txt/csv file with the proper entries for each of the tables, and then use those to manually load into the tables.

 

I'm running into my first issue with the guacamole_entity table. As it stands, there is one entry in the table, entity_id 1, which is guacadmin.

 

The reason I want to manually control the entity_id is so that I can reliably delete those entries when the group of users depart and their connections are no longer needed.

 

I have a txt file with a few users in it, and I am attempting to manually define the entity_id. The text file for my tests looks like this:

101,2299Bbob,USER

102,2299JWill,USER

103,2299SDogg,USER

104,2299AUser,USER

 

When I try to import this into the entity table, I receive an error that says I have an incorrect integer value. Specifically:

 

ERROR 1366 (22007) at line 1: Incorrect integer value: '101' for colum `guacamole_db`.`guacamole_entity`.`entity_id` at row 1

 

Any suggestions?

 

Thanks

 

Jim




Re: *LONG* Directly using SQL tables

2022-01-14 Thread Jim Rx
Jonathan,

 

I was over-complicating things. Salting the hashes is not a big deal (as I've discovered).

 

So the key to the whole thing working was the guacamole_user table. I had to add the entries there as well. The trick is the password_hash... the fields for the password_hash and password_salt are binary(32). So when I took our common starting point password "$UPER$ecret" and hashed it with SHA256 (I used an online hash tool), I had to divide the 64 hex characters it returned into two 32-character strings, one in the password_hash field and one in the password_salt field.

 

There are a couple more mandatory fields in that table and then it imports just fine. After that, as long as the users are in AD, they can log in just fine and they have connections set up.

 

The guacamole_user table works out to look like this in the csv file:

141,141,98FBF2243B9D9A9F93B7D87DAC20C8CD,CCB8315A0A5F02340A115F6A846113D0,2022-01-01 00:01:00,0,0,\N,\N,\N,\N,CST,\N,\N,\N,\N

 

So I can salt the hashes to protect the common starting password, and all is well.

 

Thanks again,

 

Jim


Sent: Thursday, January 13, 2022 at 1:14 PM
From: "Hankins, Jonathan" 
To: user@guacamole.apache.org
Subject: Re: *LONG* Directly using SQL tables


The docs indicate that the only thing required for auto-create to work, once it's enabled, is for a successful authentication from another extension, so I would expect that it should be creating accounts for you if they are successfully authenticating against LDAP. Haven't tested in our environment.
 

As far as adding unsalted passwords, make sure to heed the warning in the docs. Even if you are using the database accounts as "dummies" and they are all authenticating against LDAP, I *believe* that they can still auth against the database with the password in the DB, regardless of LDAP. May be wrong on that, but if that's right, and your DB was compromised, the unsalted hashes are easy to break. There is a code example in the docs about how to salt the hashes in MySQL.

 


On Thu, Jan 13, 2022 at 11:38 AM Jim Rx <jimr...@mail.com> wrote:




 


Jonathan,

 

Thanks for your reply.

 

I checked and you are right -- the import into the guacamole_entity table was successful, but there are no corresponding entries being created in the guacamole_user table.

 

We are using LDAP, and we have the auto-create option "mysql-auto-create-accounts: true" configured. I assume that if the account already exists in the database, then it's a push.

 

Since database authentication is "subordinate" to other authentication extensions, I think I'll try and add to the user table manually with unsalted gibberish passwords and see if it works.


 

Jim


Sent: Thursday, January 13, 2022 at 10:45 AM
From: "Hankins, Jonathan" <jhank...@homewood.k12.al.us>
To: user@guacamole.apache.org
Subject: Re: *LONG* Directly using SQL tables


I am using Postgres, but one thing I noticed that's different with my setup is I am not specifying the entity_id -- it is an auto-increment field in MySQL (serial in Postgres).
 
I think you don't have anything in the guacamole_user table for the entities you are creating. Have a look at:


 

https://guacamole.apache.org/doc/gug/jdbc-auth.html#users

 


Also, since you are using LDAP for auth, you may be able to shortcut all of this, have a look at:

 

https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users

 

 

 


 


On Tue, Jan 11, 2022 at 11:09 AM Jim Rx <jimr...@mail.com> wrote:




Greetings, I have a question about updating the database contents directly. Sorry for the length of the email, just trying to cover all the bases.

 

Our environment is using Guacamole 1.3 on a dedicated VM (VMware ESXi, 4 CPU, 16Gb RAM), leveraging SQL and LDAP/Active Directory.

 

We support a training company that will generally bring in 20 students at a time for class, several times over the course of a year.

 

Right now, we use generic "Student123" accounts associated with prebuilt connections and everything runs great. But we want to move to having students use their named logins (which means we'll also have to remove those entries at the end of class). The process of getting everything set up is pretty manual, so I'm looking for a way to script everything.

 

All authentication is pointed at our Windows Domain Controller using LDAP.

 

I have used CSV files and SQL commands in the past to add new connections (entries into the connections and connection_parameter tables). Those always show up in the Web UI just fine. I have not had any luck adding entries into the table with user names (entities) or the table with connections (connection_permissions). The rows are added to the table, but do not appear in the Web UI (this is being done ahead of a class starting, so the users are in AD but they have never logged on any of our systems).

 

When using this method, u
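
An added example, not code from the thread or from the Guacamole project, covering two pieces of advice given in these threads: let the database assign entity_id and manage users by username (Craig), and store a per-user salt with each password hash (Jonathan). It assumes the scheme shown in the Guacamole database-authentication documentation linked above, where the hash is SHA-256 over the password followed by the upper-case hex of a 32-byte salt; the SQLite schema is a cut-down stand-in for the MySQL tables, and the function names and starting password are constructed.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Cut-down stand-in for the two tables discussed in the thread (constructed;
# the real MySQL schema has more columns and uses BINARY(32) for hash and salt).
SCHEMA = """
PRAGMA foreign_keys = ON;
CREATE TABLE guacamole_entity (
    entity_id INTEGER PRIMARY KEY AUTOINCREMENT,
    name      TEXT NOT NULL,
    type      TEXT NOT NULL,
    UNIQUE (type, name)
);
CREATE TABLE guacamole_user (
    user_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    entity_id     INTEGER NOT NULL UNIQUE
                  REFERENCES guacamole_entity (entity_id) ON DELETE CASCADE,
    password_hash BLOB NOT NULL,
    password_salt BLOB,
    password_date TEXT NOT NULL
);
"""

# Usernames taken from the CSV in the thread; the password is constructed.
STUDENTS = ["2299shenry", "2299sjones", "2299bsmith", "2299gstetson"]
START_PASSWORD = "Constructed-Start-Pw-1"


def open_db():
    """In-memory database with the stand-in schema."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def salted_hash(password, salt):
    """SHA-256 over the password followed by the upper-case hex of the salt."""
    material = password + salt.hex().upper()
    return hashlib.sha256(material.encode("utf-8")).digest()


def add_user(db, username, password):
    """Insert entity and user rows; the database chooses entity_id."""
    salt = secrets.token_bytes(32)  # fresh 32-byte salt per user
    cur = db.execute(
        "INSERT INTO guacamole_entity (name, type) VALUES (?, 'USER')",
        (username,),
    )
    db.execute(
        "INSERT INTO guacamole_user"
        " (entity_id, password_hash, password_salt, password_date)"
        " VALUES (?, ?, ?, datetime('now'))",
        (cur.lastrowid, salted_hash(password, salt), salt),
    )
    return cur.lastrowid


def remove_users(db, usernames):
    """Delete by username; the foreign key cascade removes the user rows."""
    for name in usernames:
        db.execute(
            "DELETE FROM guacamole_entity WHERE type = 'USER' AND name = ?",
            (name,),
        )


def password_matches(db, username, password):
    """Recompute the salted hash from the stored salt and compare."""
    row = db.execute(
        "SELECT u.password_hash, u.password_salt FROM guacamole_user u"
        " JOIN guacamole_entity e ON e.entity_id = u.entity_id"
        " WHERE e.type = 'USER' AND e.name = ?",
        (username,),
    ).fetchone()
    if row is None:
        return False
    stored, salt = row
    return hmac.compare_digest(stored, salted_hash(password, salt))


def distinct_hash_count(db):
    """Number of different stored hashes; equals the user count when salted."""
    rows = db.execute("SELECT password_hash FROM guacamole_user").fetchall()
    return len({row[0] for row in rows})


if __name__ == "__main__":
    db = open_db()
    print("assigned ids:", [add_user(db, n, START_PASSWORD) for n in STUDENTS])
    print("distinct hashes for one shared password:", distinct_hash_count(db))
    remove_users(db, STUDENTS[:2])
    print("users left:", db.execute("SELECT COUNT(*) FROM guacamole_user").fetchone()[0])
```

Because every row gets its own salt, the four students sharing one starting password end up with four different stored hashes, so a copy of the table does not reveal that the password is shared.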

Re: *LONG* Directly using SQL tables

2022-01-13 Thread Jim Rx
Thanks for your response Craig.

 

Python may be the next step, although there is a learning curve for us. I'll keep this handy.

 

Thanks

 

Jim

 
 

Sent: Thursday, January 13, 2022 at 11:46 AM
From: "Craig Sawyer" 
To: user@guacamole.apache.org
Subject: Re: *LONG* Directly using SQL tables

What we do, instead of altering the DB directly, is use the API.
There is some python code running around, like
https://github.com/pschmitt/guacapy

to make changes to Guac. I'm guessing that code will need to be
updated for 1.4.0 by adding
"Content-Type":"application/x-www-form-urlencoded" to the headers.
(This is not tested or checked, just based on my personal observations
with my API code)

-Craig

On Thu, Jan 13, 2022 at 9:38 AM Jim Rx  wrote:
>
>
> Jonathan,
>
> Thanks for your reply.
>
> I checked and you are right -- the import into the guacamole_entity table was successful, but there are no corresponding entries being created in the guacamole_user table.
>
> We are using LDAP, and we have the auto-create option "mysql-auto-create-accounts: true" configured. I assume that if the account already exists in the database, then it's a push.
>
> Since database authentication is "subordinate" to other authentication extensions, I think I'll try and add to the user table manually with unsalted gibberish passwords and see if it works.
>
> Jim
> Sent: Thursday, January 13, 2022 at 10:45 AM
> From: "Hankins, Jonathan" 
> To: user@guacamole.apache.org
> Subject: Re: *LONG* Directly using SQL tables
> I am using Postgres, but one thing I noticed that's different with my setup is I am not specifying the entity_id -- it is an auto-increment field in MySQL (serial in Postgres).
>
> I think you don't have anything in the guacamole_user table for the entities you are creating. Have a look at:
>
> https://guacamole.apache.org/doc/gug/jdbc-auth.html#users
>
> Also, since you are using LDAP for auth, you may be able to shortcut all of this, have a look at:
>
> https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users
>
>
>
>
> On Tue, Jan 11, 2022 at 11:09 AM Jim Rx  wrote:
>>
>> Greetings, I have a question about updating the database contents directly. Sorry for the length of the email, just trying to cover all the bases.
>>
>> Our environment is using Guacamole 1.3 on a dedicated VM (VMware ESXi, 4 CPU, 16Gb RAM), leveraging SQL and LDAP/Active Directory.
>>
>> We support a training company that will generally bring in 20 students at a time for class, several times over the course of a year.
>>
>> Right now, we use generic "Student123" accounts associated with prebuilt connections and everything runs great. But we want to move to having students use their named logins (which means we'll also have to remove those entries at the end of class). The process of getting everything set up is pretty manual, so I'm looking for a way to script everything.
>>
>> All authentication is pointed at our Windows Domain Controller using LDAP.
>>
>> I have used CSV files and SQL commands in the past to add new connections (entries into the connections and connection_parameter tables). Those always show up in the Web UI just fine. I have not had any luck adding entries into the table with user names (entities) or the table with connections (connection_permissions). The rows are added to the table, but do not appear in the Web UI (this is being done ahead of a class starting, so the users are in AD but they have never logged on any of our systems).
>>
>> When using this method, user login attempts fail with no apparent log entries (I think I checked them all... /var/etc/tomcat9/ catalina.out, localhost_access_log.-MM-DD.txt, localhost.-MM-DD.log; /var/log/syslog, /var/log/messages, /var/log/nginx/guac_access.log guac_error.log ).
>> If I only add the connection information (nothing in the entity or permissions tables) then the user can log in successfully, but I have to go back and manually add their connection information. I'd like to keep from doing things manually as much as possible.
>>
>> Below are the details of the configuration and the SQL commands I used in my attempts.
>>
>> Thank you
>>
>> Jim
>>
>> /etc/guacamole/guacamole.properties looks like this:
>> guacd-hostname: localhost
>> guacd-port: 4822
>> user-mapping: /etc/guacamole/user-mapping.xml
>> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>>
>> # MySQL properties
>> mysql-hostname: localhost
>> mysql-port: 3306
>> mysql-database: guacamole_db
>> mysql-username: guacamole_user
>> mysql-password: $UPER$ecret
>> mysql-auto-create-accounts: true
>

Re: *LONG* Directly using SQL tables

2022-01-13 Thread Jim Rx
 


Jonathan,

 

Thanks for your reply.

 

I checked and you are right -- the import into the guacamole_entity table was successful, but there are no corresponding entries being created in the guacamole_user table.

 

We are using LDAP, and we have the auto-create option "mysql-auto-create-accounts: true" configured. I assume that if the account already exists in the database, then it's a push.

 

Since database authentication is "subordinate" to other authentication extensions, I think I'll try and add to the user table manually with unsalted gibberish passwords and see if it works.


 

Jim


Sent: Thursday, January 13, 2022 at 10:45 AM
From: "Hankins, Jonathan" 
To: user@guacamole.apache.org
Subject: Re: *LONG* Directly using SQL tables


I am using Postgres, but one thing I noticed that's different with my setup is I am not specifying the entity_id -- it is an auto-increment field in MySQL (serial in Postgres).
 
I think you don't have anything in the guacamole_user table for the entities you are creating. Have a look at:


 

https://guacamole.apache.org/doc/gug/jdbc-auth.html#users

 


Also, since you are using LDAP for auth, you may be able to shortcut all of this, have a look at:

 

https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users

 

 

 


 


On Tue, Jan 11, 2022 at 11:09 AM Jim Rx <jimr...@mail.com> wrote:




Greetings, I have a question about updating the database contents directly. Sorry for the length of the email, just trying to cover all the bases.

 

Our environment is using Guacamole 1.3 on a dedicated VM (VMware ESXi, 4 CPU, 16Gb RAM), leveraging SQL and LDAP/Active Directory.

 

We support a training company that will generally bring in 20 students at a time for class, several times over the course of a year.

 

Right now, we use generic "Student123" accounts associated with prebuilt connections and everything runs great. But we want to move to having students use their named logins (which means we'll also have to remove those entries at the end of class). The process of getting everything set up is pretty manual, so I'm looking for a way to script everything.

 

All authentication is pointed at our Windows Domain Controller using LDAP.

 

I have used CSV files and SQL commands in the past to add new connections (entries into the connections and connection_parameter tables). Those always show up in the Web UI just fine. I have not had any luck adding entries into the table with user names (entities) or the table with connections (connection_permissions). The rows are added to the table, but do not appear in the Web UI (this is being done ahead of a class starting, so the users are in AD but they have never logged on any of our systems).

 

When using this method, user login attempts fail with no apparent log entries (I think I checked them all... /var/etc/tomcat9/ catalina.out, localhost_access_log.-MM-DD.txt, localhost.-MM-DD.log; /var/log/syslog, /var/log/messages, /var/log/nginx/guac_access.log guac_error.log ).

If I only add the connection information (nothing in the entity or permissions tables) then the user can log in successfully, but I have to go back and manually add their connection information. I'd like to keep from doing things manually as much as possible.

 

Below are the details of the configuration and the SQL commands I used in my attempts.

 

Thank you

 

Jim

 

/etc/guacamole/guacamole.properties looks like this:

guacd-hostname: localhost
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider


# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: $UPER$ecret
mysql-auto-create-accounts: true

# LDAP Properties
ldap-hostname: 10.0.0.10
ldap-port: 389
ldap-encryption-method: none
#ldap-user-base-dn: OU=them, DC=our, DC=net
ldap-user-base-dn: DC=our,DC=net
ldap-username-attribute: samAccountName
ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou=Administration, dc=our, dc=net
ldap-search-bind-password: $UPER$ecret
#ldap-user-search-filter: (objectClass=user)(!(objectCategory=computer))
ldap-user-search-filter: (sAMAccountType=805306368)


The process that I attempted to use was as follows:

Create the required CSV files-

NEW_STUDENT_CONNECTION.csv:
284,NS-Linux-01,\N,rdp,\N,\N,\N,\N,\N,\N,0
285,NS-Linux-02,\N,rdp,\N,\N,\N,\N,\N,\N,0
286,NS-Linux-03,\N,rdp,\N,\N,\N,\N,\N,\N,0
287,NS-Linux-04,\N,rdp,\N,\N,\N,\N,\N,\N,0
314,NS-Windows-01,\N,rdp,\N,\N,\N,\N,\N,\N,0
315,NS-Windows-02,\N,rdp,\N,\N,\N,\N,\N,\N,0
316,NS-Windows-03,\N,rdp,\N,\N,\N,\N,\N,\N,0
317,NS-Windows-04,\N,rdp,\N,\N,\N,\N,\N,\N,0

 


NEW_STUDENT_CONNECTION_PARAMETERS.csv:
284,hostname,10.16.6.100
284,ignore-cert,true
284,port,3389
285,hostname,10.16.6.101
285,ignore-cert,true
285,port,3389
286,hostname,10.16.6.102
2

*LONG* Directly using SQL tables

2022-01-11 Thread Jim Rx
Greetings, I have a question about updating the database contents directly. Sorry for the length of the email, just trying to cover all the bases.

 

Our environment is using Guacamole 1.3 on a dedicated VM (VMware ESXi, 4 CPU, 16Gb RAM), leveraging SQL and LDAP/Active Directory.

 

We support a training company that will generally bring in 20 students at a time for class, several times over the course of a year.

 

Right now, we use generic "Student123" accounts associated with prebuilt connections and everything runs great. But we want to move to having students use their named logins (which means we'll also have to remove those entries at the end of class). The process of getting everything set up is pretty manual, so I'm looking for a way to script everything.

 

All authentication is pointed at our Windows Domain Controller using LDAP.

 

I have used CSV files and SQL commands in the past to add new connections (entries into the connections and connection_parameter tables). Those always show up in the Web UI just fine. I have not had any luck adding entries into the table with user names (entities) or the table with connections (connection_permissions). The rows are added to the table, but do not appear in the Web UI (this is being done ahead of a class starting, so the users are in AD but they have never logged on any of our systems).

 

When using this method, user login attempts fail with no apparent log entries (I think I checked them all... /var/etc/tomcat9/ catalina.out, localhost_access_log.-MM-DD.txt, localhost.-MM-DD.log; /var/log/syslog, /var/log/messages, /var/log/nginx/guac_access.log guac_error.log ).

If I only add the connection information (nothing in the entity or permissions tables) then the user can log in successfully, but I have to go back and manually add their connection information. I'd like to keep from doing things manually as much as possible.

 

Below are the details of the configuration and the SQL commands I used in my attempts.

 

Thank you

 

Jim

 

/etc/guacamole/guacamole.properties looks like this:

guacd-hostname: localhost
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider


# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: $UPER$ecret
mysql-auto-create-accounts: true

# LDAP Properties
ldap-hostname: 10.0.0.10
ldap-port: 389
ldap-encryption-method: none
#ldap-user-base-dn: OU=them, DC=our, DC=net
ldap-user-base-dn: DC=our,DC=net
ldap-username-attribute: samAccountName
ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou=Administration, dc=our, dc=net
ldap-search-bind-password: $UPER$ecret
#ldap-user-search-filter: (objectClass=user)(!(objectCategory=computer))
ldap-user-search-filter: (sAMAccountType=805306368)


The process that I attempted to use was as follows:

Create the required CSV files-

NEW_STUDENT_CONNECTION.csv:
284,NS-Linux-01,\N,rdp,\N,\N,\N,\N,\N,\N,0
285,NS-Linux-02,\N,rdp,\N,\N,\N,\N,\N,\N,0
286,NS-Linux-03,\N,rdp,\N,\N,\N,\N,\N,\N,0
287,NS-Linux-04,\N,rdp,\N,\N,\N,\N,\N,\N,0
314,NS-Windows-01,\N,rdp,\N,\N,\N,\N,\N,\N,0
315,NS-Windows-02,\N,rdp,\N,\N,\N,\N,\N,\N,0
316,NS-Windows-03,\N,rdp,\N,\N,\N,\N,\N,\N,0
317,NS-Windows-04,\N,rdp,\N,\N,\N,\N,\N,\N,0

 


NEW_STUDENT_CONNECTION_PARAMETERS.csv:
284,hostname,10.16.6.100
284,ignore-cert,true
284,port,3389
285,hostname,10.16.6.101
285,ignore-cert,true
285,port,3389
286,hostname,10.16.6.102
286,ignore-cert,true
286,port,3389
287,hostname,10.16.6.103
287,ignore-cert,true
287,port,3389
314,hostname,10.16.6.130
314,ignore-cert,true
314,port,3389
315,hostname,10.16.6.131
315,ignore-cert,true
315,port,3389
316,hostname,10.16.6.132
316,ignore-cert,true
316,port,3389
317,hostname,10.16.6.133
317,ignore-cert,true
317,port,3389

 

 

NEW_STUDENT_ENTITY.csv:
141,2299shenry,USER
142,2299sjones,USER
143,2299bsmith,USER
144,2299gstetson,USER

 

 

NEW_STUDENT_CONNECTION_PERMISSIONS.csv:
141,284,READ
141,314,READ
142,285,READ
142,315,READ
143,286,READ
143,316,READ
144,287,READ
144,317,READ


Once the files were in place on the server, I ran the following commands:

 

mysql -u root
use guacamole_db;
LOAD DATA INFILE '/tmp/NEW_STUDENT_CONNECTION.csv' INTO TABLE guacamole_connection FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n';
LOAD DATA INFILE '/tmp/NEW_STUDENT_CONNECTION_PARAMETERS.csv' INTO TABLE guacamole_connection_parameter FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n';
LOAD DATA INFILE '/tmp/NEW_STUDENT_ENTITY.csv' INTO TABLE guacamole_entity FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n';
LOAD DATA INFILE '/tmp/NEW_STUDENT_CONNECTION_PERMISSIONS.csv' INTO TABLE guacamole_connection_permission FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n';
exit;

 


Re: New Active Directory users not showing in user list

2021-08-26 Thread Jim Rx
Mike,

 

Thank you for your detailed explanation. I believe all four conditions you've listed are true, and yet about 20 out of 150 users do not appear in the admin interface. We aren't having authentication issues. The users who don't appear in the webui can log in just fine. However, because they are not in the webui, I cannot assign connections to them, so when they log in they don't have anywhere to go. I will step through the conditions just to make sure I don't miss anything.

 

1) Guacadmin is in Active Directory as a standard user

2) Guacadmin is an admin user in the webui

3) The ldap-user binding in guacamole.properties is a service account assigned as a domain administrator in AD

4) The LDAP base is the entire domain, with a filter matching only normal user accounts (based on sAMAccountType). I can tell this is working because we have user accounts in the webui that come from different AD OU.

 


One might think that the disconnect between guacadmin as a normal user in LDAP and the SVC.GUACAMOLE account being a Domain Admin could cause issues... but the majority of the LDAP users do appear in and are manipulated/managed by the webui, specifically connection assignments.

 

Any other information or analysis you might provide would be most appreciated. This system is in 'production', so I have limited ability to do more than view the configurations during the day for the next week or so, until we cycle down.

 

Thanks

 

Jim

 

Sent: Wednesday, August 25, 2021 at 4:06 PM
From: "Mike Jumper" 
To: user@guacamole.apache.org
Subject: Re: New Active Directory users not showing in user list



A user does not need to exist within the database to be able to log in, nor will they be automatically added to the database upon login.

 

The entry you see in the database is _not_ the user being created, nor is it the user being partially created. It's the system recording that a login for a user occurred. There is no database permissions issue.

 

To be clear, a user does not need to exist in the database for the user to be able to log in, nor do they need to exist in the database to be listed in the admin screen:

 

* If a user can log in, that means that at least one authentication extension recognizes that user's credentials and has validated their identity. If you only have a database extension installed, then yes, this means they exist in the database. If you have both LDAP and a database extension installed, then this means they exist in LDAP or the database, etc.

 

* If a user is listed in the admin interface, it means that the current user has permission to see that user according to at least one authentication extension. That user may exist in both LDAP and the database, they may exist only in LDAP, or they may exist only in the database.

 


* There is an option to automatically create database users, but this is not needed except when using an extension that requires storage for all users (the TOTP extension). You do not need to enable this option simply to be able to see users, log in as those users, etc.


 

If you are expecting to see LDAP users within the admin interface, but aren't, the way to troubleshoot that is not to execute queries against the database (which truly has nothing to do with LDAP), but to check the details of your user within LDAP.

 

To see an LDAP user within the admin interface, the following must be true:

 

1) You must log in with LDAP credentials, not database credentials. You will not be able to see LDAP objects of any kind unless your credentials are recognized by the LDAP server, as it's your access rights within LDAP that dictate visibility of LDAP objects.

 

2) You must log in with LDAP credentials that match a user with admin privileges in the database.

 

3) Your LDAP user must have permission within LDAP to retrieve the details of the user in question.

 

4) The user in question must match the declared LDAP structure within guacamole.properties. This means they must be beneath the declared user base DN. If you specified an LDAP user search filter within guacamole.properties, the user must match that, too.




 

Michael Jumper
CEO, Lead Developer
Glyptodon Inc.








 


On Wed, Aug 25, 2021 at 1:54 PM Jim Rx <jimr...@mail.com> wrote:




Nick,

 

Thanks for that explanation. You may see from other messages in the thread that the user I was testing with was showing up in the guacamole_user_history table with a user_id of NULL.

 

Without auto-create turned on, I'm confused as to how the accounts that do exist were created. I'm going to have to snapshot this VM and then adjust add the auto-create (after I read the reference you provided).

 

Along with that -- how do I verify that the guacamole_user has the proper privileges? I used the grant select,insert,update,delete sql command that many pages suggest... but those changes never stick, even after the flush privileges command.

 

Thanks

 

Jim

 
 

Sent: Wedn
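
The fourth condition in Mike Jumper's list above (the user must sit beneath the declared user base DN and match the user search filter), written as an offline check. This is an added example, not code from the thread or from the Guacamole project: the property values are the ones posted in this thread, the directory entries are constructed, and the function names are hypothetical. Conditions 1 to 3 depend on the directory's access control and can only be tested against the live server.

```python
import re

# Relevant lines of the guacamole.properties posted in this thread.
PROPERTIES = """\
ldap-user-base-dn: DC=mynet, DC=local
ldap-user-search-filter: (sAMAccountType=805306368)
"""

# Constructed directory entries; DNs and attribute values are made up.
ENTRIES = [
    {"dn": "CN=Sam Henry,OU=Students,DC=mynet,DC=local",
     "sAMAccountName": "2299shenry", "sAMAccountType": "805306368"},
    {"dn": "cn=Lab PC 7, ou=Computers, dc=MYNET, dc=LOCAL",
     "sAMAccountName": "LABPC7$", "sAMAccountType": "805306369"},
    {"dn": "CN=Bo Smith,OU=Students,DC=other,DC=local",
     "sAMAccountName": "2299bsmith", "sAMAccountType": "805306368"},
]


def parse_properties(text):
    """Parse 'name: value' lines, skipping comments and lines without ':'."""
    props = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.lstrip().startswith("#"):
            props[name.strip()] = value.strip()
    return props


def normalize_dn(dn):
    """Lower-case each RDN and drop whitespace around ',' and '='."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):  # do not split on escaped commas
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def is_beneath(dn, base_dn):
    """True when base_dn is a proper suffix of dn, compared RDN by RDN."""
    entry, base = normalize_dn(dn), normalize_dn(base_dn)
    return len(entry) > len(base) and entry[-len(base):] == base


def matches_equality_filter(entry, ldap_filter):
    """Evaluate a single (attribute=value) filter, the form used in this thread."""
    m = re.fullmatch(r"\((\w[\w-]*)=([^()*]+)\)", ldap_filter.strip())
    if not m:
        raise ValueError("only simple equality filters are handled here")
    attribute, value = m.groups()
    return entry.get(attribute, "").lower() == value.lower()


def condition_four(entry, props):
    """Return the reasons an entry fails condition 4 (empty list = passes)."""
    reasons = []
    if not is_beneath(entry["dn"], props["ldap-user-base-dn"]):
        reasons.append("not beneath ldap-user-base-dn")
    search_filter = props.get("ldap-user-search-filter")
    if search_filter and not matches_equality_filter(entry, search_filter):
        reasons.append("does not match ldap-user-search-filter")
    return reasons


if __name__ == "__main__":
    props = parse_properties(PROPERTIES)
    for e in ENTRIES:
        print(e["sAMAccountName"], condition_four(e, props) or "passes condition 4")
```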

Re: New Active Directory users not showing in user list

2021-08-25 Thread Jim Rx
Nick,

 

Thanks for that explanation. You may see from other messages in the thread that the user I was testing with was showing up in the guacamole_user_history table with a user_id of NULL.

 

Without auto-create turned on, I'm confused as to how the accounts that do exist were created. I'm going to have to snapshot this VM and then adjust add the auto-create (after I read the reference you provided).

 

Along with that -- how do I verify that the guacamole_user has the proper privileges? I used the grant select,insert,update,delete sql command that many pages suggest... but those changes never stick, even after the flush privileges command.

 

Thanks

 

Jim

 
 

Sent: Wednesday, August 25, 2021 at 3:35 PM
From: "Nick Couchman" 
To: user@guacamole.apache.org
Subject: Re: New Active Directory users not showing in user list



On Wed, Aug 25, 2021 at 4:22 PM Craig Sawyer  wrote:


Huh,  If they are logged into Guacamole, then they by definition have
a guac account, so I'm confused as to why they aren't showing up in
the list.  Perhaps someone else here will have some ideas.
 

 

There may be some confusion here as to what it means to "have a guac account." If you've enabled both the MySQL JDBC extension and the LDAP extensions, then users only need to exist in one of these two extensions in order to successfully authenticate. They do not have to be in both, and LDAP users do not have to have an entry in MySQL in order to successfully log in, nor does a successful login mean that the users will be automatically created - unless you enable this feature. See this manual page for more information:

 

http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-auto-create

 

Looking at the guacamole.properties output that was posted in the original question, I do not see the "mysql-auto-create-accounts" property anywhere, so Guacamole is not creating an entry for these users in the database.

 

Also, it's important to understand that the default "guacadmin" account in the JDBC extensions will have *no visibility* into the LDAP tree to see possible users, unless you happen to have an LDAP user called "guacadmin" with the same password that is in the JDBC account. The LDAP extension leverages LDAP security for both the login and the retrieval of user and group information from LDAP. This tends to trip people up a bit, but it is a very deliberate design of the LDAP extension - it does not use the Search Bind DN for all or even most LDAP operations - it only uses the Search Bind DN to find the user who is trying to log in - once it locates that user, it unbinds and then re-binds as that user account and continues to retrieve other user accounts, LDAP groups, and/or connection information stored in LDAP. This means that, in order to see users, groups, and connections from LDAP, the user logging in to Guacamole needs to be an LDAP user, and needs to successfully bind to LDAP.

 

-Nick










Re: New Active Directory users not showing in user list

2021-08-25 Thread Jim Rx
 


Craig,

 

I just looked at the guacamole_entity table and the user I'm logged in with is not present in the table. However -- I also looked at the guacamole_user_history table, and the user IS listed with a NULL in the user_id field. So it appears that the user is not being inserted into SQL.

 

So now I'm trying to figure how to get privileges to the guacamole_user in sql. I did the grant select,insert,update,delete on guacamole_db.* to 'guacamole_user'@'localhost' .. but no luck. guacamole_user doesn't exist in any of the tables in guacamole_db. That user does exist in the sql database, and shows no privileges.

 

 

Jim

 

Sent: Wednesday, August 25, 2021 at 3:21 PM
From: "Craig Sawyer" 
To: user@guacamole.apache.org
Subject: Re: New Active Directory users not showing in user list

Huh, If they are logged into Guacamole, then they by definition have
a guac account, so I'm confused as to why they aren't showing up in
the list. Perhaps someone else here will have some ideas.

The only thing that comes to mind at the moment is maybe MySQL is
being mean and not showing the new inserted record for some reason?
That would be odd, but it is MySQL, it's not known for sane behaviour
by default. Can you see the account record in the MySQL DB?

On Wed, Aug 25, 2021 at 1:12 PM Jim Rx  wrote:
>
> Yes - I'm doing this right now while a user who doesn't appear is logged in, and they are not present in the list.
>
> Sent: Wednesday, August 25, 2021 at 3:05 PM
> From: "Craig Sawyer" 
> To: user@guacamole.apache.org
> Subject: Re: New Active Directory users not showing in user list
> Did you refresh the web UI? (shift+click the reload button) it's not 100% live.
>
> -Craig
>
> On Wed, Aug 25, 2021 at 1:04 PM Jim Rx  wrote:
> >
> > Craig,
> >
> > Thanks for the clarification. After testing, they are able to log in... but... their name does not appear in users in the webui, so no connections can be assigned to their account.
> >
> > Thanks,
> >
> > Jim
> >
> >
> > Sent: Wednesday, August 25, 2021 at 2:59 PM
> > From: "Craig Sawyer" 
> > To: user@guacamole.apache.org
> > Subject: Re: New Active Directory users not showing in user list
> > They won't show up until after they login. LDAP requests from Guac are
> > only triggered when an auth request happens. The corresponding guac
> > account will then be created on the fly as it were. There is no
> > "sync" between AD <-> Guac, except at login time.
> >
> > If they are unable to login, but everyone else can, then it's
> > probably one of two things:
> >
> > 1) ldap-search-bind-dn: cn=SVC.GUACAMOLE doesn't have permissions to
> > see the new users
> > 2) ldap-user-search-filter: (sAMAccountType=805306368) the users are
> > not matching against this filter.
> >
> > -Craig
> >
> > On Wed, Aug 25, 2021 at 12:42 PM Jim Rx  wrote:
> > >
> > > Hello,
> > >
> > > I saw a thread on LDAP issues just a couple of days ago, but it didn't seem to match my situation.
> > >
> > > I built Guacamole 1.3.0 from source on a debian 10, using mysql for connection properties and active directory (Server 2019) for authentication. We noticed that some AD users were not listed in users (observed from guacadmin account). We added a new user to AD and restarted the system to see if something would shake loose. No joy.
> > >
> > > /etc/guacamole.properties looks like this:
> > > ###
> > > guacd-hostname: localhost
> > > guacd-port: 4822
> > > user-mapping: /etc/guacamole/user-mapping.xml
> > > auth-provider: net.sourcforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
> > >
> > > mysql-hostname: localhost
> > > mysql-port: 3306
> > > mysql-database: guacamole_db
> > > mysql-username: guacamole_user
> > > mysql-password: supersecretpassword
> > >
> > > ldap-hostname: 10.x.x.10
> > > ldap-port: 389
> > > ldap-encryption-method: none
> > > ldap-user-base-dn: DC=mynet, DC=local
> > > ldap-username-attribute: sAMAccountName
> > > ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou-Administration, dc=mynet, dc=local
> > > ldap-search-bind-password: supersecretpassword
> > > ldap-user-search-filter: (sAMAccountType=805306368)
> > > ###
> > >
> > > right now, logback.xml is set to "info", and searching through the different log files doesn't seem to show any LDAP errors. I've checked:
> > > /var/log/syslog
> > > /var/log/nginx/guac_access.log
> > > /var/log/nginx/guac_error.log
> > > /var/log/tomcat

Re: New Active Directory users not showing in user list

2021-08-25 Thread Jim Rx
Yes - I'm doing this right now while a user who doesn't appear is logged in, and they are not present in the list.
 

Sent: Wednesday, August 25, 2021 at 3:05 PM
From: "Craig Sawyer" 
To: user@guacamole.apache.org
Subject: Re: New Active Directory users not showing in user list

Did you refresh the web UI? (shift+click the reload button) it's not 100% live.

-Craig

On Wed, Aug 25, 2021 at 1:04 PM Jim Rx  wrote:
>
> Craig,
>
> Thanks for the clarification. After testing, they are able to log in... but... their name does not appear in users in the webui, so no connections can be assigned to their account.
>
> Thanks,
>
> Jim
>
>
> Sent: Wednesday, August 25, 2021 at 2:59 PM
> From: "Craig Sawyer" 
> To: user@guacamole.apache.org
> Subject: Re: New Active Directory users not showing in user list
> They won't show up until after they login. LDAP requests from Guac are
> only triggered when an auth request happens. The corresponding guac
> account will then be created on the fly as it were. There is no
> "sync" between AD <-> Guac, except at login time.
>
> If they are unable to login, but everyone else can, then it's
> probably one of two things:
>
> 1) ldap-search-bind-dn: cn=SVC.GUACAMOLE doesn't have permissions to
> see the new users
> 2) ldap-user-search-filter: (sAMAccountType=805306368) the users are
> not matching against this filter.
>
> -Craig
>
> On Wed, Aug 25, 2021 at 12:42 PM Jim Rx  wrote:
> >
> > Hello,
> >
> > I saw a thread on LDAP issues just a couple of days ago, but it didn't seem to match my situation.
> >
> > I built Guacamole 1.3.0 from source on a debian 10, using mysql for connection properties and active directory (Server 2019) for authentication. We noticed that some AD users were not listed in users (observed from guacadmin account). We added a new user to AD and restarted the system to see if something would shake loose. No joy.
> >
> > /etc/guacamole.properties looks like this:
> > ###
> > guacd-hostname: localhost
> > guacd-port: 4822
> > user-mapping: /etc/guacamole/user-mapping.xml
> > auth-provider: net.sourcforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
> >
> > mysql-hostname: localhost
> > mysql-port: 3306
> > mysql-database: guacamole_db
> > mysql-username: guacamole_user
> > mysql-password: supersecretpassword
> >
> > ldap-hostname: 10.x.x.10
> > ldap-port: 389
> > ldap-encryption-method: none
> > ldap-user-base-dn: DC=mynet, DC=local
> > ldap-username-attribute: sAMAccountName
> > ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou-Administration, dc=mynet, dc=local
> > ldap-search-bind-password: supersecretpassword
> > ldap-user-search-filter: (sAMAccountType=805306368)
> > ###
> >
> > right now, logback.xml is set to "info", and searching through the different log files doesn't seem to show any LDAP errors. I've checked:
> > /var/log/syslog
> > /var/log/nginx/guac_access.log
> > /var/log/nginx/guac_error.log
> > /var/log/tomcat9/catalina.out
> >
> > I cannot find any log entries in windows system event viewer that indicate an issue on that side. And... *most* of the users are there, and can log in, and can use the connections allocated to them (I imported the connection list manually into SQL and then connected the dots in the web UI).
> >
> > Any suggestions would be greatly appreciated.
> >
> > Thanks
> >
> > Jim
> >
> >



Re: New Active Directory users not showing in user list

2021-08-25 Thread Jim Rx
Craig,

 

Thanks for the clarification. After testing, they are able to log in... but... their name does not appear in users in the webui, so no connections can be assigned to their account.

 

Thanks,

 

Jim

 
 

Sent: Wednesday, August 25, 2021 at 2:59 PM
From: "Craig Sawyer" 
To: user@guacamole.apache.org
Subject: Re: New Active Directory users not showing in user list

They won't show up until after they login. LDAP requests from Guac are
only triggered when an auth request happens. The corresponding guac
account will then be created on the fly as it were. There is no
"sync" between AD <-> Guac, except at login time.

If they are unable to login, but everyone else can, then it's
probably one of two things:

1) ldap-search-bind-dn: cn=SVC.GUACAMOLE doesn't have permissions to
see the new users
2) ldap-user-search-filter: (sAMAccountType=805306368) the users are
not matching against this filter.

-Craig

On Wed, Aug 25, 2021 at 12:42 PM Jim Rx  wrote:
>
> Hello,
>
> I saw a thread on LDAP issues just a couple of days ago, but it didn't seem to match my situation.
>
> I built Guacamole 1.3.0 from source on a debian 10, using mysql for connection properties and active directory (Server 2019) for authentication. We noticed that some AD users were not listed in users (observed from guacadmin account). We added a new user to AD and restarted the system to see if something would shake loose. No joy.
>
> /etc/guacamole.properties looks like this:
> ###
> guacd-hostname: localhost
> guacd-port: 4822
> user-mapping: /etc/guacamole/user-mapping.xml
> auth-provider: net.sourcforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>
> mysql-hostname: localhost
> mysql-port: 3306
> mysql-database: guacamole_db
> mysql-username: guacamole_user
> mysql-password: supersecretpassword
>
> ldap-hostname: 10.x.x.10
> ldap-port: 389
> ldap-encryption-method: none
> ldap-user-base-dn: DC=mynet, DC=local
> ldap-username-attribute: sAMAccountName
> ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou-Administration, dc=mynet, dc=local
> ldap-search-bind-password: supersecretpassword
> ldap-user-search-filter: (sAMAccountType=805306368)
> ###
>
> right now, logback.xml is set to "info", and searching through the different log files doesn't seem to show any LDAP errors. I've checked:
> /var/log/syslog
> /var/log/nginx/guac_access.log
> /var/log/nginx/guac_error.log
> /var/log/tomcat9/catalina.out
>
> I cannot find any log entries in windows system event viewer that indicate an issue on that side. And... *most* of the users are there, and can log in, and can use the connections allocated to them (I imported the connection list manually into SQL and then connected the dots in the web UI).
>
> Any suggestions would be greatly appreciated.
>
> Thanks
>
> Jim
>
>



New Active Directory users not showing in user list

2021-08-25 Thread Jim Rx
Hello,

 

I saw a thread on LDAP issues just a couple of days ago, but it didn't seem to match my situation.

 

I built Guacamole 1.3.0 from source on a debian 10, using mysql for connection properties and active directory (Server 2019) for authentication. We noticed that some AD users were not listed in users (observed from guacadmin account). We added a new user to AD and restarted the system to see if something would shake loose. No joy.

 

/etc/guacamole.properties looks like this:

###
guacd-hostname: localhost
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
auth-provider: net.sourcforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: supersecretpassword

ldap-hostname: 10.x.x.10
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: DC=mynet, DC=local
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou-Administration, dc=mynet, dc=local
ldap-search-bind-password: supersecretpassword
ldap-user-search-filter: (sAMAccountType=805306368)
###

 

right now, logback.xml is set to "info", and searching through the different log files doesn't seem to show any LDAP errors. I've checked:

/var/log/syslog
/var/log/nginx/guac_access.log
/var/log/nginx/guac_error.log
/var/log/tomcat9/catalina.out

 

I cannot find any log entries in windows system event viewer that indicate an issue on that side. And... *most* of the users are there, and can log in, and can use the connections allocated to them (I imported the connection list manually into SQL and then connected the dots in the web UI).

 

Any suggestions would be greatly appreciated.

 

Thanks

 

Jim

 

 
